decryption failed: secret key not available


John Endress

Apr 4, 2011, 12:32:41 PM
to Google Apps Manager
GAM 1.7, on Windows XP.

API is active. I was able to provision two users on the first day.

I am following documentation from Google Apps Manager wiki, Using GPG
with Audits.
GAM works fine.

Downloaded gpg for Windows, March 31, 2011.
Did gpg --gen-key --expert.
Responses to questions included:
(1) RSA and RSA <default>
RSA keysize 1024
RSA subkey 1024
Key is valid for 0 (forever)
Is this correct? Y
Real name: xxxxxxxxxx
Email address: xxxxxxxxxxxx
Comment: xxxxxxxxxxxx
Passphrase: xxxxxxxxxxxx

Next, used gpg --export --armor | C:\GAM\gam audit uploadkey
Next, ran an audit
Next, downloaded the audit file to my C:\Program Files\GNU\GnuPG
directory.
Next, tried to decrypt the file with the command:
gpg --output myfile.txt --decrypt activityfile-username-3421-0.mbox.gpg

Result: decryption failed: secret key not available.

gpg --list-keys
which produced RSA, RSA-E, ELG-E, DSA, etc.....

gpg --list-secret-keys
which produced nothing.

I tried this on April 1 (not a fool's joke), and today. No success.

What am I missing?

- John

Jay Lee

Apr 4, 2011, 12:36:18 PM
to google-ap...@googlegroups.com
Are you running GPG from the same computer you initially configured
GAM and GPG on?

Jay


John Endress

Apr 4, 2011, 12:56:21 PM
to Google Apps Manager
Yes, same computer.

Jay Lee

Apr 4, 2011, 1:02:33 PM
to google-ap...@googlegroups.com
John,

Not sure what to tell you. GPG is saying that it doesn't have access
to the secret key that can decrypt the file. Are you sure the computer
didn't get cleaned up or redone since you generated the key?

If you have no access to the original secret key you'll need to start
from scratch, creating a new secret key, uploading the public key to
Google with GAM and then rerunning the activity or export requests. Before
issuing those commands I'd verify that the secret key is available on
the computer. You could try encrypting a local file with the public
key and then decrypting it with the secret key. Here's a brief
tutorial:

http://www.techrepublic.com/blog/opensource/encrypting-and-decrypting-files-with-gnupg/168

Jay

John Endress

Apr 4, 2011, 2:03:54 PM
to Google Apps Manager
Although your link provided linux/unix commands, I kept searching and
found a GPG Cheat Sheet.
Within, it suggested I could encrypt my own files. That would make a
good test, so I did.

gpg -e -u MyName -r MyName originalfile.txt
dir originalfile.txt.gpg (found it).
gpg --list-secret-keys (found them)
gpg --output newfile.txt --decrypt originalfile.txt.gpg
You need a passphrase to unlock the secret key for user:
"MyName ... (I entered passphrase)

and success! The original file I encrypted has been decrypted.
I immediately attempt to decrypt the audit file sent by Google, and I
get the "secret key not available" message.

It looks to me like the RSA ID that the Google file was encrypted
with is different from the RSA ID I uploaded at 12:11 pm Eastern Time
today. So, I wonder:
(1) How long does it take a new RSA ID to overwrite a pre-existing RSA
ID after the "uploadkey" occurs? And
(2) Do I need to create a new audit, after the "uploadkey" occurs?

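The mismatch John suspects above is exactly what "secret key not available" means: an OpenPGP-encrypted file begins with a Public-Key Encrypted Session Key packet that names the recipient key ID, and gpg reports that error when no secret key with that ID is in the local keyring. The parser below (an added illustration, not code from this thread or from GAM) reads that key ID out of a constructed sample file and compares it with the IDs you would copy from gpg --list-secret-keys; the sample bytes and key IDs are constructed, and note that for an RSA key pair the ID named in the file is normally the encryption subkey's ID (the ssb line), not the primary key's.

```python
PKESK_TAG = 1  # Public-Key Encrypted Session Key packet (RFC 4880, section 5.1)

def _read_packet_header(data, pos):
    """Return (tag, body_start, body_length) for the packet header at data[pos]."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:  # new-format header: tag in the low 6 bits
        tag = first & 0x3F
        b1 = data[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + data[pos + 2] + 192
        if b1 == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not handled here")
    # old-format header: tag in bits 2-5, length-type in the low 2 bits
    tag, ltype = (first >> 2) & 0x0F, first & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length is not handled here")
    nbytes = (1, 2, 4)[ltype]
    return tag, pos + 1 + nbytes, int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")

def recipient_key_ids(data):
    """Collect the key IDs named by the leading PKESK packets of an encrypted file."""
    ids, pos = [], 0
    while pos < len(data):
        tag, start, length = _read_packet_header(data, pos)
        if tag != PKESK_TAG:
            break  # PKESK packets come first; the encrypted-data packet ends the scan
        version, key_id = data[start], data[start + 1:start + 9]
        if version != 3:
            raise ValueError("unexpected PKESK version %d" % version)
        ids.append(key_id.hex().upper())  # 16 hex digits = long key ID
        pos = start + length
    return ids

def diagnose(data, local_secret_key_ids):
    """True if some recipient key ID (long or 8-digit short form) matches a local secret key."""
    have = {k.upper() for k in local_secret_key_ids}
    recips = recipient_key_ids(data)
    return any(r in have or r[-8:] in have for r in recips), recips

# Constructed sample: a PKESK packet for (made-up) key ID 0123456789ABCDEF followed by
# a truncated, constructed encrypted-data packet; this is not a real Google audit file.
SAMPLE_FILE = bytes.fromhex("C10E" "03" "0123456789ABCDEF" "01" "0010ABCD" "D204" "01020304")
```

To run it on a real download, pass the bytes of the .mbox.gpg file to diagnose() together with the key IDs (pub and ssb lines) shown by gpg --list-secret-keys; gpg --list-packets on the file shows the same recipient key ID.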

Jay Lee

Apr 4, 2011, 2:26:30 PM
to google-ap...@googlegroups.com
1) In my experience, it's pretty much instant that the new key takes
over as the signing key for requests but it certainly wouldn't hurt to
wait 15-20 minutes before issuing the request to be sure.

2) Yes, you'll need to resubmit the requests.

Jay

John Endress

Apr 4, 2011, 3:29:54 PM
to Google Apps Manager
Working on it.
I'll write again tomorrow.

John Endress

Apr 5, 2011, 3:30:35 PM
to Google Apps Manager
Thank you for your answers. They helped.

Because I was new to using a "keyring", when failures occurred I'd create a
new gpg key, which was incompatible with previous activity requests.
My PC is "cleaned" overnight, which is why my keys were "gone" each
morning.

So, I started anew today, created a new key, and submitted an audit
export download at 11:44 am Eastern time.
At 3:04 pm (same day), the request changed from PENDING to COMPLETED.
That's three hours and twenty minutes for a mailbox that has only
fourteen e-mails in it.

I was able to download the file, and open it. Like I said, your
answers helped, thank you.

Now that I know how this works, I face the task of training people who
are used to GroupWise how this works. They are used to being able to
provide instant answers to e-mail situational problems (Suzy e-mails
threats to Carol, etc...) and they're not going to be happy with
"well, wait three hours and maybe I'll get back to you" type of
answer. It's not your fault, I know, but if you have an idea of how to
do this faster, I'm listening.

- John

Gerard Duerrmeyer

Apr 9, 2011, 11:15:10 AM
to google-ap...@googlegroups.com, John Endress
Mr. Endress,

This isn't likely the answer you want to hear, but given the hostile-sounding environment you are dealing with, you probably want to pay extra for Google/Postini's Messaging Discovery product.
You can read more about it here: http://www.google.com/postini/discovery.html

It is a specialized product geared more specifically for what you are trying to do. I hope this helps.

The audit API is meant more for an after the fact investigation scenario which is not time critical. The Discovery product is meant for real-time as you described.

I hope this helps.

Cheers,

GD

Kirti Deshmukh

Apr 12, 2011, 7:44:30 AM
to Google Apps Manager
Hi Jay,

I am also facing the same problem about decrypting the downloaded
mailbox.
I am decrypting on the same machine where I have created the public
key.
My machine has not been formatted since the key was generated. In fact I can
see the required secret key using the list-secret-keys command.

When I ran the following command

"gpg --output <new decrypted file> --decrypt <encrypted file>"

Following is the message shown on command prompt.

"You need a passphrase to unlock the secret key for
user: "User Example <exa...@domain.com>"
2048-bit RSA key, ID C4AD4833, created 2011-04-06

Enter Passphrase: "

I am not sure which file to use for providing the secret key.

Can you please help me here?


Jay Lee

Apr 12, 2011, 7:48:02 AM
to Google Apps Manager
The passphrase is the password you set when you created the secret key
with the:

gpg --gen-key --expert

command. If you don't remember it, try some of your "common"
passwords. If you can't figure out what it is, you'll unfortunately
need to start again from scratch.

Jay

Kirti Deshmukh

Apr 12, 2011, 8:52:18 AM
to google-ap...@googlegroups.com
Thanks Jay.

I will try and let you know. I suppose I will need to start from scratch :(.


Kirti Deshmukh

Apr 13, 2011, 3:08:05 AM
to Google Apps Manager
Thanks Jay. I am able to decrypt the file.
